Practical Windows Forensics

Postmortem analysis

Browser analysis

Prefetch files

Live analysis

Acquisition

Scenario

Introduction

Appendix appB. Case Study

Factors that need to be considered

Appendix appA. Building a Forensic Analysis Environment

Summary

Knowing Bro

Using WireShark

Using tshark

Using tcpdump

Exploring logs

Network data collection

Chapter 12. Network Forensics

Summary

Memory analysis

API hooking

The DLL injection

Network connections in memory

Processes in memory

The sources of memory dump

Memory acquisition

Memory structure

Chapter 11. Memory Forensics

Summary

E-mail investigation

Other browsers

Firefox

Microsoft Internet Explorer

Browser investigation

Chapter 10. Browser and E-mail Investigation

Summary

Windows shortcut files

Windows RecycleBin

Windows Thumbs DB

Windows tasks

Windows prefetch files

Chapter 9. Windows Files

Summary

Extracting Event Logs

Event Logs system

Event Logs - an introduction

Chapter 8. Event Log Analysis

Summary

Registry analysis

Auto-run keys

Parsing registry files

Extracting registry hives

Backing up the registry files

The registry structure

Chapter 7. Registry Analysis

Summary

Foremost

Autopsy

The Sleuth Kit (TSK)

The NTFS filesystem

The FAT filesystem

Hard drive structure

Chapter 6. Filesystem Analysis and Data Recovery

Summary

Plaso in practice

Plaso architecture

Super timeline – Plaso

The Sleuth Kit

Timeline introduction

Chapter 5. Timeline

Summary

Disk wiping in Linux

Evidence integrity (the hash function)

Virtualization in data acquisition

Linux for the imaging of a hard drive

Live imaging of a hard drive

Incident Response CDs

Forensic image

Chapter 4. Nonvolatile Data Acquisition

Summary

Network-based data collection

Memory acquisition

Chapter 3. Volatile Data Collection

Summary

Remote live response

The hardware for IR and Jump Bag

Security fundamentals

Personal skills

Chapter 2. Incident Response and Live Analysis

Summary

Analysis approaches

Digital forensic goals

Digital evidence

Digital forensics

What is digital crime?

Chapter 1. The Foundations and Principles of Digital Forensics

Customer support

Reader feedback

Conventions

Who this book is for

What you need for this book

What this book covers

Preface

Free access for Packt account holders

Why subscribe?

www.PacktPub.com

About the Reviewers

About the Authors

Credits

版权页

封面

封面

版权页

Credits

About the Authors

About the Reviewers

www.PacktPub.com

Why subscribe?

Free access for Packt account holders

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Chapter 1. The Foundations and Principles of Digital Forensics

What is digital crime?

Digital forensics

Digital evidence

Digital forensic goals

Analysis approaches

Summary

Chapter 2. Incident Response and Live Analysis

Personal skills

Security fundamentals

The hardware for IR and Jump Bag

Remote live response

Summary

Chapter 3. Volatile Data Collection

Memory acquisition

Network-based data collection

Summary

Chapter 4. Nonvolatile Data Acquisition

Forensic image

Incident Response CDs

Live imaging of a hard drive

Linux for the imaging of a hard drive

Virtualization in data acquisition

Evidence integrity (the hash function)

Disk wiping in Linux

Summary

Chapter 5. Timeline

Timeline introduction

The Sleuth Kit

Super timeline – Plaso

Plaso architecture

Plaso in practice

Summary

Chapter 6. Filesystem Analysis and Data Recovery

Hard drive structure

The FAT filesystem

The NTFS filesystem

The Sleuth Kit (TSK)

Autopsy

Foremost

Summary

Chapter 7. Registry Analysis

The registry structure

Backing up the registry files

Extracting registry hives

Parsing registry files

Auto-run keys

Registry analysis

Summary

Chapter 8. Event Log Analysis

Event Logs - an introduction

Event Logs system

Extracting Event Logs

Summary

Chapter 9. Windows Files

Windows prefetch files

Windows tasks

Windows Thumbs DB

Windows RecycleBin

Windows shortcut files

Summary

Chapter 10. Browser and E-mail Investigation

Browser investigation

Microsoft Internet Explorer

Firefox

Other browsers

E-mail investigation

Summary

Chapter 11. Memory Forensics

Memory structure

Memory acquisition

The sources of memory dump

Processes in memory

Network connections in memory

The DLL injection

API hooking

Memory analysis

Summary

Chapter 12. Network Forensics

Network data collection

Exploring logs

Using tcpdump

Using tshark

Using WireShark

Knowing Bro

Summary

Appendix appA. Building a Forensic Analysis Environment

Factors that need to be considered

Appendix appB. Case Study

Introduction

Scenario

Acquisition

Live analysis

Prefetch files

Browser analysis

Postmortem analysis